Replacing the Microsoft SecureBoot key with my own PKI key is perhaps #3 on the list of things I do when configuring a new computer before ever installing a hard drive or OS - following enabling vPro AMT and then the BMC manager if present.
If I am unable to replace the master SecureBoot key with my own, that machine is getting packed up and sent right back to the OEM as defective.
I only buy OEM systems for work and build systems for home use. But the HP account for work sees a couple hundred computers a year, which isn't all that many when speaking "volume purchasing", but will instantly become zero if they choose to lock me out at the BIOS level.
It's already annoying enough that they ship hard drives completely unsuitable for use and requiring formatting (we aren't large enough for custom disk images or custom SLIC BIOS entries yet) - but at least this is only an annoyance and not out right sending defective equipment, which is the only possible definition for locking you out of the system at the firmware level and not allowing any OS to boot.
(By "any" I don't mean less than one, I mean literally any OS)